on 09-05-2018 12:30 PM
Hello Experts,
We have SAP Netweaver 7.50 AS JAVA System on which recently we tried to install SSO 3.0. After that we took restart of JAVA system. Since then we are not able to get NWA/System Information/User Management portals with Java Exception java.lang.StackOverflowError. We checked system is running & able to get StartPage.
You can check below screen shot & Default Trace File Logs for reference.500-internal-server-error.png
<!--LOGHEADER[START]/--> <!--HELP[Manual modification of the header may cause parsing problem!]/-->
<!--LOGGINGVERSION[2.0.7.1006]/-->
<!--NAME[./log/defaultTrace_00.trc]/-->
<!--PATTERN[defaultTrace_00.trc]/--> <!--FORMATTER[com.sap.tc.logging.ListFormatter]/-->
<!--ENCODING[UTF8]/--> <!--FILESET[14, 20, 10485760]/-->
<!--PREVIOUSFILE[defaultTrace_00.13.trc]/-->
<!--NEXTFILE[defaultTrace_00.15.trc]/--> <!--ENGINEVERSION[7.50.3301.412283.20170118095719]/-->
<!--LOGHEADER[END]/--> #2.0#2018 09 05 14:44:33:341#+0530#Error#com.sap.engine.services.security.authentication.logincontext.table# #BC-JAS-SEC#security#C000C0A8020D002C0000000300004805#4568850000000004#sap.com/tc~lm~itsam~ui~mainframe~wd#com.sap.engine.services.security.authentication.logincontext.table#Guest#0##191700B1B0EC11E8A50400000045B712#c489be5eb0e311e8bfe9902b34b5a638##0#Thread[HTTP Worker [@477089047],5,Dedicated_Application_Thread]#Plain## LOGIN.FAILED
User: N/A IP
Address: 192.168.2.153
Authentication Stack: sap.com/tc~lm~itsam~ui~mainframe~wd*webdynpro_resources_sap.com_tc~lm~itsam~ui~mainframe~wd
Authentication Stack Properties: policy_domain = /webdynpro/resources/sap.com/tc~lm~itsam~ui~mainframe~wd realm_name = Upload Protected Area Login Module Flag Initialize
Login Commit Abort Details 1. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule SUFFICIENT ok false 2. com.sap.security.jaas.rba.RBALoginModule REQUIRED ok exception null 3. com.sap.security.jaas.otp.TOTPLoginModule SUFFICIENT ok \#1 BasicPasswordLoginModule.UserMappingMode = Email \#2 mode = otp&pwd \#3 tfa.first.factor.login.module = BasicPasswordLoginModule \#4 UserMappingMode = Email
No logon policy was applied#
#2.0#2018 09 05 14:44:33:356#+0530#Error#com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl# com.sap.ASJ.web.000137#BC-NWA-INC-UIF#sap.com/tc~lm~itsam~ui~mainframe~wd#C000C0A8020D002C0000000400004805#4568850000000004#sap.com/tc~lm~itsam~ui~mainframe~wd#com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl#Guest#0#
#191700B1B0EC11E8A50400000045B712#c489be5eb0e311e8bfe9902b34b5a638##0#Thread[HTTP Worker [@477089047],5,Dedicated_Application_Thread]#Plain#
# Cannot process an HTTP request to servlet [dispatcher] in [webdynpro/resources/sap.com/tc~lm~itsam~ui~mainframe~wd] web application. [EXCEPTION] java.lang.StackOverflowError
Need your suggestion for getting this problem solve.
Regards,
Prasad D.
Hi Prasad,
I know this isn't exactly the error you're getting, but have you looked into whether this might be related to filtering of remote access to administration tools? By default, a newly-installed AS Java system doesn't allow remote access to NWA, so if you want to avoid having to remote console to the machine every time you want to administer it, you need to tweak the icm_filter_rules file.
I wrote about doing this for Windows systems at https://blogs.sap.com/2015/01/28/netweaver-74-sr2-java-basic-configuration/#jive_content_id_NetWeave..., it's discussed in a Wiki at https://wiki.scn.sap.com/wiki/display/Basis/Remote%2Baccess%2Bto%2BNetWeaver%2BAdministration%2Bis%2..., and addressed in Note 1451753.
Perhaps it's as simple as this? If so, this then might also help you with your other issue raised at https://answers.sap.com/questions/624205/how-to-remove-logon-policy-scripts-which-were-impo.html.
Cheers,
Matt
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hello Matt,
Thanks for your guidance but I can not see Comment or Reply option below your comment
Just having a Answer option hence writing in answer field.
Also as per your suggestions I checked in icm-filter-rules.txt & Default Profile where configuration is Ok.
SAPDBHOST = sapsrv3
j2ee/dbtype = syb
j2ee/dbname = J2E
j2ee/dbhost = sapsrv3
SAPSYSTEMNAME = J2E
OS_UNICODE = uc
SAPGLOBALHOST = sapsrv3
system/type = J2EE
service/protectedwebmethods = SDEFAULT
#-----------------------------------------------------------------------
# SAP Central Service Instance for J2EE
#-----------------------------------------------------------------------
j2ee/scs/host = sapsrv3
j2ee/scs/system = 01
j2ee/ms/port = 3901
#icm/server_port_0 = PORT=HTTP,PORT=1080,TIMEOUT=30,PROCTIMEOUT=600
icm/HTTP/mod_0 = PREFIX=/,FILE=$(DIR_GLOBAL)/security/data/icm_filter_rules.txt
dbms/type = syb
dbs/syb/schema = SAPSR3DB
dbs/syb/server = sapsrv3
dbs/syb/dbname = J2E
dbs/syb/port = 4901
j2ee/dbport = 4901
rsdb/ssfs_connect = 1
dbs/syb/cache_size = 300
rsec/ssfs_datapath = /usr/sap/J2E/SYS/global/security/rsecssfs/data
rsec/ssfs_keypath = /usr/sap/J2E/SYS/global/security/rsecssfs/key
.
Below is icm_filter_rules file
.
# ICM Rewrite Rules for NWA (restrict access to local host)
#if %{REMOTE_ADDR} !stricmp 127.0.0.1 [AND]
#if %{REMOTE_ADDR} !stricmp ::1 [AND]
#if %{REMOTE_ADDR} !regimatch 192.168.2.*
#RegIRedirectUrl ^/webdynpro/resources/sap.com/tc~lm~itsam~ui~mainframe~wd/.*$ /nwa/remote_access_error [QSA]
.
Regards,
Prasad D.
Prasad,
Your icm_filter_rules.txt file, as shown above, will restrict remote access to NWA, so that is the problem. You have the critical lines commented out with "#," so if you just remove that symbol, I think it will work. In other words, it should look like this:
# ICM Rewrite Rules for NWA (restrict access to local host and internal segment)
if %{REMOTE_ADDR} !stricmp 127.0.0.1 [AND]
if %{REMOTE_ADDR} !stricmp ::1 [AND]
if %{REMOTE_ADDR} !regimatch 192.168.2.*
RegIRedirectUrl ^/webdynpro/resources/sap.com/tc~lm~itsam~ui~mainframe~wd/.*$ /nwa/remote_access_error [QSA]
Give that a try, restart the application, and see if your NWA access works.
Cheers,
Matt
Hello Matt,
I have tried as per your suggestion by removing # character from icm_filter_rules.txt file & after taking restart problem doesn't get solved.
.
# ICM Rewrite Rules for NWA (restrict access to local host)
if %{REMOTE_ADDR} !stricmp 127.0.0.1 [AND]
if %{REMOTE_ADDR} !stricmp ::1 [AND]
if %{REMOTE_ADDR} !regimatch 192.168.2.*
RegIRedirectUrl ^/webdynpro/resources/sap.com/tc~lm~itsam~ui~mainframe~wd/.*$ /nwa/remote_access_error [QSA]
.
Here I'm pasting Latest Default Trace of the system.
.
<!--LOGHEADER[START]/-->
<!--HELP[Manual modification of the header may cause parsing problem!]/-->
<!--LOGGINGVERSION[2.0.7.1006]/-->
<!--NAME[./log/defaultTrace_00.trc]/-->
<!--PATTERN[defaultTrace_00.trc]/-->
<!--FORMATTER[com.sap.tc.logging.ListFormatter]/-->
<!--ENCODING[UTF8]/-->
<!--FILESET[4, 20, 10485760]/-->
<!--PREVIOUSFILE[defaultTrace_00.3.trc]/-->
<!--NEXTFILE[defaultTrace_00.5.trc]/-->
<!--ENGINEVERSION[7.50.3301.412283.20170118095719]/-->
<!--LOGHEADER[END]/-->
#2.0#2018 09 10 10:36:17:622#+0530#Error#com.sap.engine.services.security.authentication.logincontext.table#
#BC-JAS-SEC#security#C000C0A8020D002D0000001200000567#4568850000000060#sap.com/tc~lm~itsam~ui~mainframe~wd#com.sap.engine.services.security.authentication.logincontext.table#Guest#0##3BA3DA00B4B711E8AB2F00000045B712#d92971efb4b611e89c4e902b34b5a638##0#Thread[HTTP Worker [@1329487032],5,Dedicated_Application_Thread]#Plain##
LOGIN.FAILED
User: N/A
IP Address: 192.168.2.153
Authentication Stack: sap.com/tc~lm~itsam~ui~mainframe~wd*webdynpro_resources_sap.com_tc~lm~itsam~ui~mainframe~wd
Authentication Stack Properties:
policy_domain = /webdynpro/resources/sap.com/tc~lm~itsam~ui~mainframe~wd
realm_name = Upload Protected Area
Login Module Flag Initialize Login Commit Abort Details
1. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule SUFFICIENT ok false
2. com.sap.security.jaas.rba.RBALoginModule REQUIRED ok exception null
3. com.sap.security.jaas.otp.TOTPLoginModule SUFFICIENT ok
\#1 BasicPasswordLoginModule.UserMappingMode = Email
\#2 mode = otp&pwd
\#3 tfa.first.factor.login.module = BasicPasswordLoginModule
\#4 UserMappingMode = Email
No logon policy was applied#
#2.0#2018 09 10 10:36:17:626#+0530#Error#com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl#
com.sap.ASJ.web.000137#BC-NWA-INC-UIF#sap.com/tc~lm~itsam~ui~mainframe~wd#C000C0A8020D002D0000001300000567#4568850000000060#sap.com/tc~lm~itsam~ui~mainframe~wd#com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl#Guest#0##3BA3DA00B4B711E8AB2F00000045B712#d92971efb4b611e89c4e902b34b5a638##0#Thread[HTTP Worker [@1329487032],5,Dedicated_Application_Thread]#Plain##
Cannot process an HTTP request to servlet [dispatcher] in [webdynpro/resources/sap.com/tc~lm~itsam~ui~mainframe~wd] web application.
[EXCEPTION]
java.lang.StackOverflowError
at com.sap.engine.services.servlets_jsp.server.runtime.client.HttpParametersWrapper.getApplicationSession(HttpParametersWrapper.java:38)
at com.sap.engine.services.servlets_jsp.server.runtime.client.RequestContext.getSession(RequestContext.java:595)
at com.sap.engine.services.servlets_jsp.server.runtime.client.HttpServletRequestFacadeWrapper.getSession(HttpServletRequestFacadeWrapper.java:327)
at com.sap.engine.interfaces.security.auth.AbstractWebCallbackHandler.getAttributeFromSession(AbstractWebCallbackHandler.java:1404)
at com.sap.engine.interfaces.security.auth.AbstractWebCallbackHandler.parseUserNameAndPassword(AbstractWebCallbackHandler.java:3007)
at com.sap.engine.interfaces.security.auth.AbstractWebCallbackHandler.handle(AbstractWebCallbackHandler.java:2430)
at com.sap.engine.interfaces.security.auth.AbstractWebCallbackHandler.handle(AbstractWebCallbackHandler.java:1144)
at com.sap.engine.interfaces.security.auth.AbstractWebCallbackHandler.handle(AbstractWebCallbackHandler.java:698)
at com.sap.security.jaas.otp.TFACallbackHandler.handleSingleCallback(TFACallbackHandler.java:76)
at com.sap.security.jaas.otp.TFACallbackHandler.handle(TFACallbackHandler.java:67)
at com.sap.security.jaas.otp.ReplayableCallbackHandler.handle(ReplayableCallbackHandler.java:48)
at com.sap.security.jaas.otp.TFACallbackHandler.handleSingleCallback(TFACallbackHandler.java:76)
at com.sap.security.jaas.otp.TFACallbackHandler.handle(TFACallbackHandler.java:67)
at com.sap.security.jaas.otp.modes.OTPAndPwdMode.handleNameAndPasswordCallbacks(OTPAndPwdMode.java:1360)
at com.sap.security.jaas.otp.modes.OTPAndPwdMode.handleCredentials(OTPAndPwdMode.java:1160)
at com.sap.security.jaas.otp.modes.OTPAndPwdMode.firstStageLogin(OTPAndPwdMode.java:449)
at com.sap.security.jaas.otp.modes.OTPAndPwdMode.login(OTPAndPwdMode.java:198)
at com.sap.security.jaas.otp.TOTPLoginModule.login(TOTPLoginModule.java:51)
at com.sap.security.jaas.otp.modes.OTPAndPwdMode.callEmbeddedLoginModule(OTPAndPwdMode.java:800)
at com.sap.security.jaas.otp.modes.OTPAndPwdMode.firstStageLogin(OTPAndPwdMode.java:456)
at com.sap.security.jaas.otp.modes.OTPAndPwdMode.login(OTPAndPwdMode.java:198)
at com.sap.security.jaas.otp.TOTPLoginModule.login(TOTPLoginModule.java:51)
#2.0#2018 09 10 10:36:17:646#+0530#Error#com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl#
com.sap.ASJ.web.000137#BC-NWA-INC-UIF#sap.com/tc~lm~itsam~ui~mainframe~wd#C000C0A8020D002D0000001500000567#4568850000000060#sap.com/tc~lm~itsam~ui~mainframe~wd#com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl#Guest#0##3BA3DA00B4B711E8AB2F00000045B712#d92971efb4b611e89c4e902b34b5a638##0#Thread[HTTP Worker [@1329487032],5,Dedicated_Application_Thread]#Plain##
Cannot process an HTTP request to servlet [dispatcher] in [webdynpro/resources/sap.com/tc~lm~itsam~ui~mainframe~wd] web application.
For more details on the problem please check traces searching by logId: C000C0A8020D002D0000001300000567#
#2.0#2018 09 10 10:36:17:671#+0530#Error#com.sap.engine.services.servlets_jsp.ISE500#
com.sap.ASJ.web.000500#BC-NWA-INC-UIF#sap.com/tc~lm~itsam~ui~mainframe~wd#C000C0A8020D002D0000001600000567#4568850000000060#sap.com/tc~lm~itsam~ui~mainframe~wd#com.sap.engine.services.servlets_jsp.ISE500#Guest#0##3BA3DA00B4B711E8AB2F00000045B712#d92971efb4b611e89c4e902b34b5a638##0#Thread[HTTP Worker [@1329487032],5,Dedicated_Application_Thread]#Plain##
500 Internal Server Error is returned for HTTP request [http://192.168.2.13:50000/webdynpro/resources/sap.com/tc~lm~itsam~ui~mainframe~wd/FloorPlanApp]:
component [dispatcher],
web module [webdynpro/resources/sap.com/tc~lm~itsam~ui~mainframe~wd],
application [sap.com/tc~lm~itsam~ui~mainframe~wd],
DC name [sap.com/tc~lm~itsam~ui~mainframe~wd],
CSN component[BC-NWA-INC-UIF],
problem categorization [com.sap.ASJ.web.000137],
internal categorization [859771996].
Regards,
Prasad D
I think perhaps you have a misconfiguration somewhere in your authentication stack. Your next step could be to run a Security Troubleshooting Wizard trace as described in Note 1332726. Also make sure your URL is properly formatted, and that you aren't calling NWA with any URL parameters, such as "?saml2=disabled," etc. Try calling the tool with just http://<server>:<port>/nwa, and nothing else. Have a look at Notes 2676971 and 2673983 for some examples.
You are getting an error with the RBALoginModule in your authentication stack, and then the stack is followed with "no logon policy was applied." This is what I suspect you should focus your efforts on troubleshooting, and I think the wizard will help with that.
Hello Matt,
I also think the problem might in Authentication Stack or Logon Policy Scripts but exactly where which is I'm unable to find.
As per suggested note 1332726, I have started Security Troubleshooting Wizard & collected the traces but there are of big size 27MB, I cannot attach them here.
So is there any way, that I can send you these traces in .ZIP file?
Also I tried with direct links as (host):(port)/nwa & /useradmin but same 500 Internal Server Error still exists.
Below is the screen shot for Statistics for server.
Kindly suggest is there any way to remove applied Logon Policy Scripts from OS level as NWA is not getting.
Regards,
Prasad D.
The traces collected with the troubleshooting wizard are really for your own use to go through, or to attach to a Customer Incident if you've opened one with SAP Support (which at this point I think you should do). You might want to try collecting them again, but be sure to only turn the trace on right before the point of failure, and turn it off again immediately after, to minimize how much extraneous data is collected. The main thing is to look through the traces yourself to see if anything jumps out at you as a culprit.
Are you sure your system isn't running out of memory?
Dear Prasad,
Hope you are doing good.
SAP KBA ##2255173 - '"500 Internal Server" due to java.lang.StackOverflowError
seems to deal with the same issue. If this is still not working, attach the latest default trace files from /usr/sap/<SID>/J<nr>/j2ee/server*/logs/defaultTrace*
Kind Regards,
Hemanth Kumar
SAP Product Support
_ _ _ _ _ _ _ _ _ _ _
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Dear Hemanth,
Thanks for your concern.
I have already checked the Note 2255173 & as per note we have same configuration in our system as per below screen shot.
.
I am not able to upload Latest Default Trace file as
I am getting below error while uploading .txt (979kb) or Zip(.rar) file.
Regards,
Prasad D.
Hello Prasad,
Just a quick note, if you want to reply to an answer someone has given you, it is best to do so as a 'comment' on that answer by hitting the 'Reply' button directly under the answer, and not as a new 'answer' to the main question. Doing the former will cause a notification to be sent to the person you are replying to; doing the latter will not, and so they may not notice that you have replied.
Also, you'll note that I have taken the liberty of 'converting' your answer into a comment, so now Hemanth will have been notified.
Cheers,
Matt Fraser
SAP Community Moderator
User | Count |
---|---|
101 | |
13 | |
13 | |
11 | |
11 | |
7 | |
6 | |
5 | |
4 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.